Comments on Jeremiah Grossman: Microsoft announces Black Box, White Box, and WAF (comment feed, last updated 2015-03-02)

Bala Neerumalla (http://blogs.msdn.com/sqlsecurity), 2008-06-27 21:53 -07:00

sethf - Please remember that MSSCASI is a static code analysis tool. It wouldn't know that DataLayer.Database.ExecSQL executes a dynamic SQL.

For wrappers written in the same page (or included files), it will generate 80420 warnings. In this case, I assume this is a COM component installed on the box so it wouldn't know that it executes a dynamic SQL.

You can however use the following annotation in the code. It will then detect vulnerable paths that lead to this API.

    ' @@embed attach __VBS_EXECSQL(obj,x) { __sql_pre_validated(x) }

This is a very rare case that we missed documenting; we will cover it in the next revision.

Thanks,
Bala Neerumalla

SethF, 2008-06-26 18:36 -07:00

Good tip.

However, the MSCASI isn't all it is cracked up to be.

Take the following code from a real site I am having the pleasure of auditing...the problem is pretty evident. I tested the script on a handful of pages, including login scripts, update pages, and more...and nothing. It did work fine with the sample that came in the package.

Due to the very high failure rate I have experienced, I can't trust it...so, thanks for nothing MS.

    ID=Request.QueryString("ParentID")
    Password=Request.QueryString("password")

    dim SQL
    dim Obj
    dim Rs

    set Obj=server.CreateObject("DataLayer.Database")
    set Rs=server.CreateObject("ADODB.Recordset")

    SQL="select child.child_id, child.child_First_name, child.child_nick, child_email_address, child.child_password, child.child_dob, child.child_gender, child.child_grade, child.WebFilter, child.URLExclude, child.URLInclude, child.URLIncludeOnly, child.EmailBuddyCheck, child.AllowNonBuddy, child.ParentExclude, child.ParentInclude, child.ParentIncludeOnly, child.Lockdown, child.PasswordRequired, child.AllowSubDomain, child.IsParent, child.Child_MSAgent_Access, child.UsePopupBlocker, child.SendBuddyOnly, child.AgentReadChat, child.challengeId, child.response, child.LaunchPopup, Community_Sponsor.Community_Sponsor_HomePage, 'client/Images/Icons/' + icons.icon_file_name iconfile from child,icons,Community_Sponsor,Parents where Parents.parent_id = " & trim(ID) & " and Parents.CommunityId=Community_Sponsor.Community_Sponsor_ID and child.icon_id=icons.icon_id and child.child_state=1 and child.parent_id= " & trim(ID) & " order by isparent desc, child_id asc "
    set rs=obj.ExecSQL(SQL)

    set Obj=nothing
    set Rs=nothing

    Response.Write "Required Parameter is missing."

Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186), 2008-06-26 06:38 -07:00

@Ivan, I meant no disrespect. We all know ModSecurity rulez. :)

Ivan (http://www.blogger.com/profile/02751997639253304259), 2008-06-26 05:44 -07:00

You are doing ModSecurity great injustice when you say that URLScan is equivalent to it. I don't mean any disrespect to URLScan, but we try harder. I know you didn't mean it like you said it, but for the sake of your readers not familiar with ModSecurity I feel compelled to clarify.

URLScan is useful, but limited. For example, as far as I am aware, it can only act on the request line and the request headers, but it doesn't do anything about the payload (e.g. POST). Conceptually it is more similar to mod_rewrite, with some web security functionality added.

ModSecurity, on the other hand, is focused on pre-processing transaction data, avoiding making any choices for the user, and giving her a bunch of tools (e.g. the rule language, transformation functions, persistent storage, logging, XML parsing... I could go on) to enable her to do whatever she wants. It's not only different to URLScan in terms of what you can do with it, but there is a significant difference in the approach.

romain (http://rgaucher.info), 2008-06-25 19:08 -07:00

@billy:
I agree that the DB schema extraction is actually good for reducing the FP (need to figure out the performance regarding the FN then...), but the crawler's limitations seem to be very bothersome for a fully automated website audit, aren't they?
This said, the tool doesn't seem that useful... but I didn't test it personally.

Billy Hoffman, 2008-06-25 12:55 -07:00

I agree it would be pretty lame if we were just throwing a 'OR and looking for an ODBC error. This from our FAQ might help:

Q: How do I know these vulnerabilities are real?

A: When Scrawlr detects what it thinks is a SQL Injection vulnerability, it will try to extract the database name and type, as well as the names of all the user defined tables in the database. This proves that data extraction is possible and that the SQL Injection vulnerability is real.

Zinho (http://www.blogger.com/profile/17178561136430555875), 2008-06-25 09:14 -07:00

I made a test of the tool: http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html

I'm going to test the static source code analysis tool. That in my opinion makes Scrawlr useless if it really works.

Matt Presson (http://www.blogger.com/profile/02537815584811632732), 2008-06-25 06:19 -07:00

http://w3af.sourceforge.net/

Anonymous, 2008-06-25 06:11 -07:00

I've already tested scrawlr, I can deal with the auth issue, as auth is realistically a much lower threat wrt automated SQLis, same with blind. Lack of database retrieval is not an issue for POC because all you need is an error message. But the crawl limit is ridiculous, my scan died 20% of the way through due to this limitation...might be nice for home use against Betty's cookie site on mysql but I see this tool less as an act of social compassion and more as a marketing ploy (which is apparently working) unless they yank this arbitrary page limit.

--Eponymous

romain (http://rgaucher.info), 2008-06-25 05:12 -07:00

Ouch, I didn't read the limitation before. What is that tool good at then?
Throwing ' OR 1=1-- at all get parameters? Open-source web app scanners have been doing this for ages (and they handle POST parameters ;))